Miguel Medalha
2016-Apr-21 19:48 UTC
[Samba] Automatic sysvol replication through detection of filesystem events
I thought this can be useful to someone, so here it goes.

I am using automatic SysVol replication with the help of "watcher", a recursive incron:

https://github.com/splitbrain/Watcher

"Watcher is a daemon that watches specified files/folders for changes and fires commands in response to those changes. It is similar to incron, however, configuration uses a simpler to read ini file instead of a plain text file. Unlike incron it can also recursively monitor directories."

Watcher needs "python-inotify". Install it using your package manager.

Follow the general instructions for SysVol replication on the Samba Wiki:

https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround

Please note that the rsync command line will have to be slightly modified. Since the SysVol events will be detected on the source DC, replication will be made in push mode, not in pull mode as per the Samba Wiki.

Test the rsync command line manually before automating it. Since we are using "--delete-after", a mistake can be catastrophic for your target system. Use --dry-run and -v (verbose) on the command line, like this:

    /bin/rsync --dry-run -XAavuz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret /usr/local/samba/var/sysvol/ rsync://sysvol-replication@[IP_OR_NAME_OF_DESTINATION_DC]/SysVol/

Once you are happy with the results, you can remove "--dry-run" and -v (this can cause a very large watcher log file, but you can keep it if you like) from the rsync command line and use the form included in watcher.ini.

Put "watcher.py" and "watcher.ini" in a secure place, giving them appropriate permissions.

Edit "watcher.ini" according to your needs. I have the following:

    ; ----------------------
    ; General Settings
    ; ----------------------
    [DEFAULT]
    ; where to store output
    logfile=/tmp/watcher.log
    ; where to save the PID file
    pidfile=/tmp/watcher.pid

    ; ----------------------
    ; Job Setups
    ; ----------------------
    [SysVol_Replication]
    ; directory or file to watch. Probably should be abs path.
    watch=/usr/local/samba/var/sysvol
    ; list of events to watch for.
    ; supported events:
    ; 'access' - File was accessed (read) (*)
    ; 'attribute_change' - Metadata changed (permissions, timestamps, extended attributes, etc.) (*)
    ; 'write_close' - File opened for writing was closed (*)
    ; 'nowrite_close' - File not opened for writing was closed (*)
    ; 'create' - File/directory created in watched directory (*)
    ; 'delete' - File/directory deleted from watched directory (*)
    ; 'self_delete' - Watched file/directory was itself deleted
    ; 'modify' - File was modified (*)
    ; 'self_move' - Watched file/directory was itself moved
    ; 'move_from' - File moved out of watched directory (*)
    ; 'move_to' - File moved into watched directory (*)
    ; 'open' - File was opened (*)
    ; 'all' - Any of the above events are fired
    ; 'move' - A combination of 'move_from' and 'move_to'
    ; 'close' - A combination of 'write_close' and 'nowrite_close'
    ;
    ; When monitoring a directory, the events marked with an asterisk (*) above
    ; can occur for files in the directory, in which case the name field in the
    ; returned event data identifies the name of the file within the directory.
    events=attribute_change,create,delete,modify
    ; Comma separated list of excluded dir. Absolute path needed.
    ; Leave blank if no excluded dir set
    excluded
    ; if true, watcher will monitor directories recursively for changes
    recursive=true
    ; if true, watcher will automatically watch new subdirectory
    autoadd=true
    ; the command to run. Can be any command. It's run as whatever user started watcher.
    ; The following wildcards may be used inside command specification:
    ; $$ dollar sign
    ; $watched watched filesystem path (see above)
    ; $filename event-related file name
    ; $tflags event flags (textually)
    ; $nflags event flags (numerically)
    ; $cookie event cookie (integer used for matching move_from and move_to events, otherwise 0)
    command=/bin/rsync -XAauz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret /usr/local/samba/var/sysvol/ rsync://sysvol-replication@[IP_OR_NAME_OF_DESTINATION_DC]/SysVol/

As you can see under the "events" section, we are monitoring creation, deletion, modification and attribute changes of files and directories inside sysvol.

Start the watcher.py daemon, giving as a parameter the location of "watcher.ini":

    /somefolder/watcher.py -c /somefolder/watcher.ini start

You can now watch the results. Input the following at the source DC (attention, your paths may differ):

    mkdir /usr/local/samba/var/sysvol/newdir
    touch /usr/local/samba/var/sysvol/newdir/newfile
    rm -f /usr/local/samba/var/sysvol/newdir/newfile
    rmdir /usr/local/samba/var/sysvol/newdir

Creation and deletion of files and folders will be immediately mirrored on the target DC.

You can either make all Group Policy edits in the source AD DC or use this as a basis for implementing bidirectional SysVol replication.

Don't forget to script the startup of watcher at boot time. In CentOS, for example, you can include the startup line in the "/etc/rc.d/rc.local" file.

Again: TEST THE RSYNC COMMAND LINE with "--dry-run" and "-v".
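The post's main caveat is that an rsync push with "--delete-after" can wipe the destination SysVol if the source path or the destination is wrong. The wrapper below is an added example (not from the post and not part of the Watcher project) of how the "command=" line in watcher.ini could point at a script instead of calling rsync directly: it runs the same push first with --dry-run -v, counts the "deleting <path>" lines rsync prints, and refuses the real sync when that count exceeds a limit. It also serialises runs with a mkdir lock, since Watcher fires one command per filesystem event and a burst of edits would otherwise start several concurrent rsyncs. The paths, the DESTINATION_DC_PLACEHOLDER name, the MAX_DELETIONS value and the sample dry-run output are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a guarded SysVol push for Watcher's "command=" line.
# Not from the original post or the Watcher project. Paths, the
# destination placeholder and the limit below are assumptions.

SYSVOL_SRC=/usr/local/samba/var/sysvol/
SYSVOL_DST="rsync://sysvol-replication@DESTINATION_DC_PLACEHOLDER/SysVol/"
SECRET=/usr/local/samba/etc/rsync-sysvol.secret
MAX_DELETIONS=${MAX_DELETIONS:-20}     # assumption: refuse above this many deletions
LOCKDIR=/tmp/sysvol-push.lock          # assumption: lock directory path

# Constructed sample of what "rsync --dry-run -v --delete-after" prints,
# used only to demonstrate the counting logic offline.
SAMPLE_PREVIEW='sending incremental file list
deleting newdir/newfile
deleting newdir/
newdir2/
newdir2/file

sent 1,234 bytes  received 56 bytes  2,580.00 bytes/sec'

# count_deletions: read rsync -v dry-run output on stdin and print how many
# entries it would delete ("deleting <path>" lines). Always exits 0.
count_deletions() {
    awk '/^deleting /{n++} END{print n+0}'
}

# deletions_within_limit <max>: read dry-run output on stdin; exit 0 when the
# number of deletions is <= max, non-zero otherwise.
deletions_within_limit() {
    n=$(count_deletions)
    [ "$n" -le "$1" ]
}

# sysvol_push: dry run first, apply only when the deletion count is acceptable.
# Returns 0 on success or when another run holds the lock, 1 if rsync fails,
# 2 when the dry run is refused.
sysvol_push() {
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "sysvol_push: another run is in progress, skipping" >&2
        return 0
    fi
    trap 'rmdir "$LOCKDIR"' EXIT

    preview=$(rsync --dry-run -v -XAauz --delete-after \
        --password-file="$SECRET" "$SYSVOL_SRC" "$SYSVOL_DST") || return 1

    if ! printf '%s\n' "$preview" | deletions_within_limit "$MAX_DELETIONS"; then
        echo "sysvol_push: refusing, dry run would delete more than $MAX_DELETIONS entries:" >&2
        printf '%s\n' "$preview" | grep '^deleting ' >&2
        return 2
    fi

    rsync -XAauz --delete-after --password-file="$SECRET" "$SYSVOL_SRC" "$SYSVOL_DST"
}

# demo_count: show the counting logic on the constructed sample (prints 2).
demo_count() {
    printf '%s\n' "$SAMPLE_PREVIEW" | count_deletions
}

# The real push only runs when explicitly requested, so the file can be
# sourced or executed without arguments just to define the functions.
if [ "${1:-}" = "push" ]; then
    sysvol_push
fi
```

In watcher.ini the "command=" line would then become the path to this script followed by "push"; a refused run leaves the destination untouched and logs the paths that would have been deleted, so an operator can raise MAX_DELETIONS deliberately for a large, intended cleanup rather than discovering the mistake on the target DC.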